Lur*_*k21 2 spring oauth spring-security
我以为我的授权实现已经完成,但是当尝试检索UserDetails对象时,我得到的只是用户名。
我正在使用具有以下详细信息的oauth。
配置AuthenticationManager:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
完成此操作后,我可以调试到userDetailsService中:
@Service
public class UserServiceImpl implements UserService, UserDetailsService {
@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
MyUser persistedUser = userRepository.findByEmail(email);
if (persistedUser == null) {
throw new UsernameNotFoundException(String.format("The email %s doesn't exist", email));
}
List<GrantedAuthority> authorities = new ArrayList<>();
MyUser inMemoryUser = new MyUser(persistedUser.getEmail(), null, persistedUser.getEnabled(), false,
false, false, authorities);
return inMemoryUser;
}
}
这样就很好了,我的客户又回来了JWT。但是我在调试以后的控制器方法时发现了以下问题。
@GetMapping
public @ResponseBody Iterable<Curriculum> getMyCurriculums(@AuthenticationPrincipal MyUser injectedUser) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
MyUser principle = (MyUser) auth.getPrincipal();
return curriculumService.findByUser(principle);
}
在这种情况下,injectedUser = null,auth是OAuth2Authentication,principal是String-用户名。应该是MyUser
您应该配置Spring Security将jwt令牌解码为MyUser对象。
首先定义一个自定义OAuth2Authentication封装MyUser。
public class OAuth2AuthenticationUser extends OAuth2Authentication {
private MyUser myUser;
public OAuth2AuthenticationUser(OAuth2Request storedRequest, Authentication userAuthentication) {
super(storedRequest, userAuthentication);
}
public MyUser getMyUser() {
return myUser;
}
public void setMyUser(MyUser) {
this.myUser= myUser;
}
}
然后在“安全配置”类中,如下配置jwt令牌解码:
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey("SIGNING_KEY");
converter.setAccessTokenConverter(getAuthenticationAccessTokenConverter());
return converter;
}
private DefaultAccessTokenConverter getAuthenticationAccessTokenConverter() {
return new DefaultAccessTokenConverter() {
@Override
public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
OAuth2Authentication authentication = (OAuth2Authentication) super.extractAuthentication(map);
OAuth2AuthenticationUser authenticationUser =
new OAuth2AuthenticationUser(authentication.getOAuth2Request(), authentication.getUserAuthentication());
MyUser myUser = new MyUser();
// Example properties
myUser.setId(map.get("id") != null ? Long.valueOf(map.get("id").toString()) : null);
myUser.setUsername(map.get("user_name") != null ? map.get("user_name").toString() : null);
myUser.setFullName(map.get("fullName") != null ? map.get("fullName").toString() : null);
myUser.setCustomerId(map.get("customerId") != null ? Long.valueOf(map.get("customerId").toString()) : null);
myUser.setCustomerName(map.get("customerName") != null ? map.get("customerName").toString() : null);
// More other properties
authenticationUser.setMyUser(myUser);
return authenticationUser;
}
};
}
然后,您可以MyUser从Spring Security上下文访问对象,如下所示:
private static MyUser getMyUser() {
OAuth2AuthenticationUser authentication = (OAuth2AuthenticationUser) SecurityContextHolder.getContext().getAuthentication();
return (authentication != null && authentication.getMyUser() != null ? authentication.getMyUser() : new MyUser());
}
这非常适合无状态环境,因为对用户详细信息的数据库访问已最小化,您只需要jwt令牌即可。
| 归档时间: |
|
| 查看次数: |
835 次 |
| 最近记录: |